Skip to content

fix(publish): read release body via env, not inline shell interpolation#11

Merged
tastybento merged 1 commit into
masterfrom
fix/publish-changelog-shell-injection
Jul 1, 2026
Merged

fix(publish): read release body via env, not inline shell interpolation#11
tastybento merged 1 commit into
masterfrom
fix/publish-changelog-shell-injection

Conversation

@tastybento

Copy link
Copy Markdown
Member

Problem

publish-platforms.yml's prep step staged the changelog with:

BODY=${{ toJSON(github.event.release.body) }}

toJSON escapes ", \ and newlines, but not backticks or $(...), which remain live inside the resulting double-quoted shell string. A release whose body contains an inline `code` span therefore executes it as a command:

line 26: Util.componentToLegacy: command not found
##[error]Process completed with exit code 127.

This broke BentoBox's 3.18.1 CurseForge/Hangar publish (failed run), is a shell-injection vector (a crafted release body could run arbitrary commands on the runner), and also left literal \r\n in changelog.md.

Fix

Pass the body through the environment and read it with "$RELEASE_BODY", so the shell never parses its contents:

    env:
      RELEASE_BODY: ${{ github.event.release.body }}
    run: |
      ...
      BODY="${RELEASE_BODY:-}"
      if [ -z "$BODY" ] || [ "$BODY" = "null" ]; then BODY="Release $VERSION"; fi

Backticks, $(...) and $VAR in release notes are now preserved literally, real newlines survive, and manual workflow_dispatch (no release event → empty body) still falls back to Release $VERSION.

Blast radius

This reusable workflow is used by every BentoBox repo's publish, so the fix applies org-wide. Consumers pin it by SHA; they'll pick up the fix when they re-pin to the merge commit.

🤖 Generated with Claude Code

https://claude.ai/code/session_0153KLwL66bB31pTc4BtsTMd

The prep step set BODY=${{ toJSON(github.event.release.body) }}. toJSON
escapes quotes/backslashes/newlines but NOT backticks or $(...), so those
stay live inside the resulting double-quoted shell string. A release body
containing an inline `code` span (backticks) therefore ran as a command
(exit 127 "command not found") and aborted the publish; it was also a
shell-injection vector and left literal \r\n in changelog.md.

Pass the body through the environment (RELEASE_BODY) and read it with
"$RELEASE_BODY" so the shell never parses its contents. Manual dispatch
(no release event) yields an empty body and still falls back to
"Release $VERSION".

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0153KLwL66bB31pTc4BtsTMd
@tastybento tastybento merged commit fe4b1f0 into master Jul 1, 2026
tastybento added a commit to BentoBoxWorld/BentoBox that referenced this pull request Jul 1, 2026
Picks up BentoBoxWorld/.github#11 — the publish prep step now reads the
release body from an env var instead of inlining it into the shell, so
backticks/$() in release notes no longer break the CurseForge/Hangar
publish (as happened on 3.18.1).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0153KLwL66bB31pTc4BtsTMd
@tastybento tastybento deleted the fix/publish-changelog-shell-injection branch July 1, 2026 06:10
tastybento added a commit to BentoBoxWorld/Biomes that referenced this pull request Jul 1, 2026
Picks up BentoBoxWorld/.github#11 — the publish prep step now reads the
release
body from an environment variable instead of inlining it into the shell.
Inline
interpolation left backticks and command-substitution live inside the
shell
string, which broke the CurseForge/Hangar publish when release notes
contained
inline code (as happened on BentoBox 3.18.1). No change to this repo's
build.

Generated with Claude Code.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant